Important! CounterSpy Definitions 416 False Positives

Hi All:

Definitions 416 for CounterSpy Consumer 1.5 & 2.0 Beta (defs 418 for CSC 1.0) were released Wednesday evening. As a result of an unusual confluence of circumstances, two false positives were incorporated into defs 416. Both false positives are on Registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\CODE STORE DATABASE\DISTRIBUTION UNITS

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE

Both false positives will be reported as "SearchSquire" (ThreatID 40276).

You will likely see more than just the above two Registry keys detected, though, because these two Registry keys store data for installed ActiveX controls in Windows. In addition to the above two Registry keys, you will likely also see detections for a number of sub-keys and values as well as files in the \Downloaded Program Files folder. All of these detections are being caused by the two erroneous Registry traces listed above.

Sunbelt became aware of the problem late Wednesday night/early Thursday morning. We will be pushing out corrected definitions later this morning. At present Sunbelt is working to turn off any further distribution of defs 416 from Sunbelt's update servers.

Until those corrected defs are released, we advise you not to quarantine or remove any "SearchSquire" detections from system scans using defs 416. If you have already quarantined SearchSquire traces from a scan with defs 416, you should unquarantine those traces.

We will announce the release of the corrected set of defs.

Best,

Eric L. Howes
Sunbelt Software

 

Hi All:

Sunbelt has now released Definitions version 417 for CounterSpy 1.5 and 2.0 beta (420 for CounterSpy 1.0). These definitions correct the SearchSquire false positives announced earlier.

Best,

Eric L. Howes

 

Thanks for the heads up Eric.

 

I did not correct it on mine. I'll run another scan and see if any different.

Edit, No, I have CS2 on two machines with both showing v 417, and the scans still show SearchSquire.
Jerry

 

Same here Jerry and until it's fully corrected We can just tell CounterSpy to ignore them, or always ignore.

Bubba

 

Yes, and they are aware if on the support forum. I will just tell to ignore.
Thanks,
Jerry

 

Hi All:

Those of you using CounterSpy 2.0 should be aware that there are some glitches with the incremental update system -- glitches that the devs are working on. One of those glitches involves incremental updates being applied in such a way that false positives corrected in our master database aren't corrected in the defs on the user's hard drive. (The other glitch involves incremental updates that simply fail to be merged properly.)

If you visit the Sunbelt beta forums and look in the "Definitions & Updates" forum you'll find a good, zipped copy of defs 417 that can be downloaded and manually installed. This known good copy of 417 will correct the SearchSquire false positives.

Best,

Eric L. Howes
Sunbelt Software

 

I can confirm the manual install does indeed fix the 417 FP's and have posted as such on the CounterSpy Forums. Thanks as always for the promptness in rectifying.

Bubba

 

Me too!
All is well now with the fix.
Thanks,
Jerry